Bug 1578872
Summary: SELinux is preventing dovecot from using the 'dac_override' capabilities.

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Fedora | Reporter | John Griffiths <fedora.jrg01> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 28 | CC | alanh, bennie.joubert, crash70, dan, david.m.highley, dwalsh, goeran, janfrode, lvrabec, matt, mgrepl, mhlavink, mmalik, plautrba, pmoore, pokorra.mailinglists, predatorscan, rasibley, samuel-rhbugs |
| Target Milestone | --- | Flags | alanh: needinfo- |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | abrt_hash:629dea9ed6dfe2c3adc5a318ce757a705af026b3c8c6b36b023f84be57daba25; | | |
| Fixed In Version | selinux-policy-3.14.1-36.fc28 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2018-07-29 03:22:44 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
John Griffiths
2018-05-16 14:19:58 UTC
Description of problem:
systemctl restart dovecot
SELinux is preventing dovecot from starting due to various dac_override denials.
Thanks

Version-Release number of selected component:
selinux-policy-3.14.1-24.fc28.noarch

Additional info:
reporter: libreport-2.9.5
hashmarkername: setroubleshoot
kernel: 4.16.8-300.fc28.x86_64
type: libreport

What info is needed?

# rpm -qa selinux-policy\* dovecot\* | sort
dovecot-2.2.35-2.fc28.x86_64
selinux-policy-3.14.1-24.fc28.noarch
selinux-policy-devel-3.14.1-24.fc28.noarch
selinux-policy-targeted-3.14.1-24.fc28.noarch

# ausearch -m avc -m user_avc -i
----
type=PROCTITLE msg=audit(05/23/2018 04:01:35.073:423) : proctitle=/usr/sbin/dovecot
type=PATH msg=audit(05/23/2018 04:01:35.073:423) : item=0 name=/var/lib/dovecot/instances.lock nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(05/23/2018 04:01:35.073:423) : cwd=/run/dovecot
type=SYSCALL msg=audit(05/23/2018 04:01:35.073:423) : arch=x86_64 syscall=lstat success=no exit=EACCES(Permission denied) a0=0x5628c3733f38 a1=0x7ffc44bb6950 a2=0x7ffc44bb6950 a3=0x23d8d86000000 items=1 ppid=1 pid=18673 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dovecot exe=/usr/sbin/dovecot subj=system_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(05/23/2018 04:01:35.073:423) : avc: denied { dac_override } for pid=18673 comm=dovecot capability=dac_override scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
----

# ls -ld /var/lib/dovecot/
drwxr-x---. 2 dovecot dovecot 4096 May 23 04:01 /var/lib/dovecot/
# ls -ld /var/lib/dovecot/ssl-parameters.dat
-rw-r--r--. 1 root root 230 May 23 04:01 /var/lib/dovecot/ssl-parameters.dat
# ls -l /var/lib/dovecot/
total 4
-rw-r--r--. 1 root root 230 May 23 04:01 ssl-parameters.dat

# I ran it with path auditing enabled and got
time->Sun May 27 12:34:17 2018
type=PROCTITLE msg=audit(1527449657.919:196): proctitle="/usr/sbin/dovecot"
type=PATH msg=audit(1527449657.919:196): item=0 name="/var/run/dovecot/login/ipc-proxy" inode=103912 dev=00:16 mode=0140600 ouid=992 ogid=0 rdev=00:00 obj=system_u:object_r:dovecot_var_run_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

The issue is that processes lacking the dac_override SELinux permission have file permissions (rwx) enforced against them, even when running as root.

# ls -l /var/run/dovecot/login/ipc-proxy
srw-------. 1 dovenull root 0 May 27 12:34 /var/run/dovecot/login/ipc-proxy

A dovecot process running as root is expecting to be able to access this file, but that isn't true any more. The file (and some others created for user dovenull) should probably be created with permissions 660 rather than 600.

Moving to dovecot. The issue is more on the dovecot side than on the SELinux side. From the following syscall we can see that dovecot runs as root:root:

type=SYSCALL msg=audit(05/23/2018 04:01:35.073:423) : arch=x86_64 syscall=lstat success=no exit=EACCES(Permission denied) a0=0x5628c3733f38 a1=0x7ffc44bb6950 a2=0x7ffc44bb6950 a3=0x23d8d86000000 items=1 ppid=1 pid=18673 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dovecot exe=/usr/sbin/dovecot subj=system_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(05/23/2018 04:01:35.073:423) : avc: denied { dac_override } for pid=18673 comm=dovecot capability=dac_override scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0

and is trying to access the file:

drwxr-x---. 2 dovecot dovecot 4096 May 23 04:01 /var/lib/dovecot/

There are no permissions for others. In DAC root could access all objects on the system, but not in MAC. Please fix permissions on /var/lib/dovecot.

*** Bug 1582729 has been marked as a duplicate of this bug. ***

*** Bug 1560704 has been marked as a duplicate of this bug. ***

TLDR; dovecot needs the dac_override capability.

I've checked this and found out that the ownership and permissions as specified in the spec file are correct. If I change it to what was suggested, dovecot will complain and change it back. While it seems that this one (first) SELinux denial message could be (maybe, theoretically) fixed, it will fail for other paths. Dovecot splits into quite a few services (worker processes) and it's not possible to set the permissions and ownerships easily without creating a mess with many artificial ones, and that's a no go. Dovecot itself is aware of this capability and that it requires it, see CapabilityBoundingSet at https://bit.ly/2sR2B3Y (this was later removed, as it broke some plugins that require even more).

selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Hi all,
>Turn on full auditing
># auditctl -w /etc/shadow -p w
I cannot find this file in Android. How do I turn on full auditing in Android?
(In reply to Ali from comment #15)
> I cannot find this file in Android. How do I turn on full auditing in Android?

This is the bug tracker for the Fedora and Red Hat Linux distributions. Android issues are over at https://issuetracker.google.com/
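The point made in the thread above is that once SELinux refuses dovecot_t the dac_override capability, root is subject to the ordinary owner/group/other check like any other uid, so a 0750 directory owned by dovecot:dovecot or a 0600 socket owned by dovenull:root turns root away. The following is an added example, not code from the bug report, dovecot or selinux-policy: it parses the audit records quoted in the thread (a constructed, trimmed copy with the SYSCALL/AVC records re-keyed to event 196 so all three records belong to one event) and runs the kernel's discretionary check as generic_permission() applies it, with and without CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH, so the reader can see why 600 fails for root and why the suggested 660 would pass. The function names, the NAME_TO_ID table and the sample records are this example's own assumptions.

```python
"""Added example (not from the bug report, dovecot or selinux-policy): apply the
POSIX discretionary check that a root process falls back to once SELinux denies it
CAP_DAC_OVERRIDE, using the objects named in the thread.  Function names, the
constructed audit sample and NAME_TO_ID are this example's own assumptions."""
import re
import stat

R, W, X = 4, 2, 1                      # requested access bits (read, write, exec/search)
CAP_DAC_OVERRIDE = "dac_override"
CAP_DAC_READ_SEARCH = "dac_read_search"

# Constructed sample: the PATH record quoted in the thread (raw ausearch output) plus
# the SYSCALL/AVC records quoted in `ausearch -i` form, trimmed and re-keyed to event 196.
SAMPLE_AUDIT = """\
type=PATH msg=audit(1527449657.919:196): item=0 name="/var/run/dovecot/login/ipc-proxy" inode=103912 dev=00:16 mode=0140600 ouid=992 ogid=0 rdev=00:00 obj=system_u:object_r:dovecot_var_run_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1527449657.919:196) : arch=x86_64 syscall=lstat success=no exit=EACCES(Permission denied) ppid=1 pid=18673 auid=unset uid=root gid=root euid=root comm=dovecot exe=/usr/sbin/dovecot subj=system_u:system_r:dovecot_t:s0
type=AVC msg=audit(1527449657.919:196) : avc: denied { dac_override } for pid=18673 comm=dovecot capability=dac_override scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
"""

# Assumption for the sample only: `ausearch -i` prints names, so map the one we see.
NAME_TO_ID = {"root": 0}


def dac_permits(mode, ouid, ogid, uid, gids, want, caps=frozenset()):
    """Mirror the kernel's generic_permission(): exactly one permission class
    (owner, group, other) applies; only then may the two DAC capabilities override."""
    is_dir = stat.S_ISDIR(mode)
    if uid == ouid:
        bits = (mode >> 6) & 7
    elif ogid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    if (bits & want) == want:
        return True
    # CAP_DAC_OVERRIDE bypasses rwx, except executing a file needs at least one x bit.
    if CAP_DAC_OVERRIDE in caps and (not (want & X) or is_dir or (mode & 0o111)):
        return True
    # CAP_DAC_READ_SEARCH bypasses read on any object and search on directories.
    if CAP_DAC_READ_SEARCH in caps and not (want & W) and (is_dir or not (want & X)):
        return True
    return False


def parse_audit(text):
    """Group ausearch lines by audit event id into {event_id: {record type: fields}}."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
        perms = re.search(r"\{ ([^}]*) \}", line)      # AVC "{ dac_override }" set
        if perms:
            fields["perms"] = perms.group(1).split()
        event_id = re.search(r"audit\([\d.]+:(\d+)\)", line).group(1)
        events.setdefault(event_id, {})[fields["type"]] = fields
    return events


def to_id(value):
    return int(value) if value.isdigit() else NAME_TO_ID[value]


def denied_dac_events(text):
    """For each event carrying a dac_override AVC denial, collect the subject's ids
    and the object's mode/owner from the PATH record, ready for dac_permits()."""
    out = []
    for event_id, recs in parse_audit(text).items():
        avc, sc, path = recs.get("AVC"), recs.get("SYSCALL"), recs.get("PATH")
        if not (avc and sc and path) or "dac_override" not in avc.get("perms", []):
            continue
        out.append({
            "event": event_id,
            "comm": sc["comm"],
            "domain": avc["scontext"].split(":")[2],
            "uid": to_id(sc["uid"]), "gid": to_id(sc["gid"]),
            "name": path["name"],
            "mode": int(path["mode"], 8),
            "ouid": int(path["ouid"]), "ogid": int(path["ogid"]),
        })
    return out


def would_pass_without_override(event, want):
    """True if plain DAC (no capabilities at all) already admits the subject."""
    return dac_permits(event["mode"], event["ouid"], event["ogid"],
                       event["uid"], {event["gid"]}, want)


if __name__ == "__main__":
    ev = denied_dac_events(SAMPLE_AUDIT)[0]
    # ipc-proxy is srw------- dovenull root: root lands in the group class (ogid 0),
    # whose bits are 0, so a root process without dac_override is refused.
    print(ev["name"], "0600, root rw:", would_pass_without_override(ev, R | W))
    # The fix suggested in the thread, 660, puts rw into the class root falls into.
    ev660 = dict(ev, mode=(ev["mode"] & ~0o777) | 0o660)
    print(ev["name"], "0660, root rw:", would_pass_without_override(ev660, R | W))
    # /var/lib/dovecot is drwxr-x--- dovecot dovecot: root is "other", with no search bit.
    d = stat.S_IFDIR | 0o750
    print("/var/lib/dovecot search as root:", dac_permits(d, 999, 999, 0, {0}, X),
          "| with dac_override:", dac_permits(d, 999, 999, 0, {0}, X, {CAP_DAC_OVERRIDE}))
```

The same parser works on a full `ausearch -m avc -i` dump: any event whose AVC record lacks a PATH record is skipped, and the uid/gid from the SYSCALL record tells you at a glance whether the denied process was really root, which is the first thing to confirm before deciding between fixing file modes (as first proposed) and granting the capability in policy (what the shipped fix did).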